GDPR, data protection officer | Do organizations have to appoint a Data Protection Officer (DPO)? Answer - Not necessarily!
A “Data Protection Officer” (DPO) was always necessary for large enterprise organizations processing personal data. However, for the first time, the appointment of a DPO will be mandatory under the General Data Protection Regulation (GDPR), regardless of company size or whether they are processing personal data in their capacity as a controller or processor. But before you hire a DPO, STOP and check with the Natuvion team first, so that you do not hire unnecessarily.
Which US companies are required to appoint a DPO?
Under the GDPR (Article 37), there are just three scenarios where the appointment of a DPO by a controller or processor is mandatory:
- The processing is carried out by a public authority;
- The core activities of the controller or processor consist of processing operations which require regular and systematic processing of data subjects on a large scale; or
- The core activities of the controller or processor consist of processing on a large scale of sensitive data (Article 9) or data relating to criminal convictions / offences (Article 10).
Until recently, exactly what the terms highlighted above (“core activities”, “regular and systematic”, “large scale”) meant has been unclear. However, the ‘Guidelines on Data Protection Officers’ published by the Article 29 Working Party (“WP29”) on December 16, 2016, have added the detail that we (you and Natuvion) need in order to comply with Articles 37, 38, and 39 of the GDPR.